Deny Access to No Referrer Requests

When a reader submits a comment, the wp-comments-post.php file is accessed, does its thing, and creates the post. The user’s browser normally sends a Referer header (a “referral” line) with that request.

When a spam-bot comes in, it hits the file directly and usually does not send a referrer. This allows for some nifty detection and action directly from the server. If you are not familiar with Apache directives, then write the following in your root directory .htaccess file:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*yourdomain\.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# Redirect the client to its own IP address
RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]

This will:

1. Detect when a POST is being made
2. Check to see if the post is on wp-comments-post.php
3. Check whether the referrer is missing or is not in your domain (a request with an empty User-Agent is treated the same way)
4. Send the spam-bot BACK to its originating server’s IP address.

NOTE 1: In the 4th line, change yourdomain\.com (a placeholder) to your own domain, without the www or any prefix for that matter.
NOTE 2: There is a slim chance that someone’s browser will not send the referral, but this is extremely rare.

This essentially deflects the spam-bot back on itself.

Taken from WordPress Codex
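
How often NOTE 2 applies on a given site can be measured before the rule goes live. The following is an added example, not part of the Codex text: it replays the rule's conditions over Apache combined-format access-log lines and counts which comment POSTs would have been deflected and why. The sample lines are constructed, and yourdomain.com is a placeholder for your own domain.

```python
import re
from collections import Counter

SITE = "yourdomain.com"  # placeholder for your own domain, as in the rule

# Apache "combined" format: ip - user [time] "METHOD uri PROTO" status bytes "referer" "agent"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def verdict(line, site=SITE):
    """Return why the rule would deflect this logged request, or None if it would not."""
    m = LINE.match(line)
    if not m or m["method"] != "POST":
        return None
    path = m["uri"].split("?", 1)[0]  # REQUEST_URI carries no query string
    if not re.search(r".wp-comments-post\.php*", path):  # same pattern as the rule
        return None
    # Apache logs a missing header as "-"
    referer = "" if m["referer"] == "-" else m["referer"]
    agent = "" if m["agent"] == "-" else m["agent"]
    if not referer:
        return "no-referer"
    if site not in referer:  # substring test, like the unanchored pattern in the rule
        return "off-site-referer"
    if not agent:
        return "empty-user-agent"
    return None

def dry_run(lines):
    """Count deflection reasons over an iterable of access-log lines."""
    return Counter(v for v in map(verdict, lines) if v)

# Constructed sample lines (documentation addresses), not taken from a real log.
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "https://yourdomain.com/hello-world/" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.24 - - [10/Oct/2023:13:56:09 +0000] "POST /wp-comments-post.php HTTP/1.0" 302 0 "http://other.example/page" "-"',
    '203.0.113.9 - - [10/Oct/2023:13:57:12 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "https://www.yourdomain.com/about/" "-"',
    '203.0.113.9 - - [10/Oct/2023:13:58:40 +0000] "GET /wp-comments-post.php HTTP/1.1" 405 0 "-" "-"',
    '203.0.113.9 - - [10/Oct/2023:13:59:02 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for reason, count in dry_run(SAMPLE).items():
        print(f"{reason}: {count}")
```

A high "no-referer" count coming from ordinary browser user agents means the rule would turn away real commenters on that site.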
